Specifications
Research into the QNX6 file system in order to develop an Autopsy module to recover data (Full report in French ): QNX6_FileSystem_FullReport_FR - Rapport complet
This module has been developped for the forensic software Autopsy. It is able to recover data from a QNX6 device and generate the original file tree. It can also recover some deleted files from devices as well. For the time being, the whole image can not be passed to the module. It is necessary at first to extract the partitions.
Autopsy is required to run this module : [Autopsy | Digital Forensics]
In Autopsy, "Unallocated space image file" must be selected as type of data source in order to run the ingest module properly
Installation
Unzip the project archive in \autopsy\python_modules directory. At startup autopsy should detect the ingest module and it should be visible on the user interface as such:
More information to install python ingest modules: Autopsy User Documentation: Installing 3rd-Party Modules (sleuthkit.org)
Usage
Ingest module presentation : http://www.youtube.com/watch?feature=player_embedded&v=H9FppPDLrpY
<img src="http://img.youtube.com/vi/H9FppPDLrpY/0.jpg" alt="Inegst module presentation" width="240" height="180" border="10" />
Main features
-
Get file system metadata
-
Get files and directories metadata
-
Recover the original file tree
-
Recover some files that have been deleted from the file system
-
Files are extracted into : \AutosyCaseName\ModuleOutput\DataSourceName\PartitionX
-
Other ingest module ca be run on the extracted data
References
Special thanks to these projects that allowed me to develop this ingest module and to understand the QNX6 file system: